Jakob Balle and Carsten Eiram of Secunia Research reported a race condition
in NPObjWrapper_NewResolve when accessing the properties of a NPObject, a
wrapped JSObject. Balle and Eiram demonstrated that this condition could be
reached by navigating away from a web page during the loading of a Java
applet. Under such conditions the Java object would be destroyed but later
called into resulting in a free memory read. An attacker could potentially
write to the freed memory before it is reused and run arbitrary code on the
victim's computer.